Project Description

The keys in db or mok can be used to verify boot loader and kernel binary for booting. But upstream kernel doesn't trust them for enrolling to trusted keyring because they are enrolled outside the boundaries of kernel. Which means that IMA can not use db/mok keys for verification.

Currently if users/partners want to enroll their keys to the kernel trusted keyring, the user key must be signed by kernel's build-in key. But SUSE will not sign any user key. In upstream, there have some known technologies against this situation:

  • CONFIGSYSTEMEXTRA_CERTIFICATE Reserve a space in kernel binary for enrolling user's key.

  • MokListTrustedRT A new MOK variable be introduced. User can use this variable to tell shim and kernel that the keys in MOK can be trusted by kernel. Which means keys will be enrolled to trusted keyring.

Goal for this Hackweek

Find a good way for SLE/openSUSE user for enrolling their key to trust keyring in kernel. IMA should also trust those keys.

Resources

kernel, shim, mokutil

Looking for hackers with the skills:

security shim kernel mok

This project is part of:

Hack Week 21

Activity

  • 11 months ago: joeyli started this project.
  • 11 months ago: jzerebecki liked this project.
  • 11 months ago: joeyli added keyword "security" to this project.
  • 11 months ago: joeyli added keyword "shim" to this project.
  • 11 months ago: joeyli added keyword "kernel" to this project.
  • 11 months ago: joeyli added keyword "mok" to this project.
  • 11 months ago: joeyli originated this project.

  • Comments

    Similar Projects

    Rancher Token Revoker by mbolot

    [comment]: # (Please use the project descriptio...


    Sandboxed USB Inspection by nguyens

    [comment]: # (Please use the project descriptio...


    Create tool for managing RPM package signing keys by dheidler

    [comment]: # (Please use the project descriptio...


    Run sandboxed Firefox with image and sound inside a container by nguyens

    [comment]: # (Please use the project descriptio...


    Create a DRM driver for VGA video cards by tdz

    Yes, those [VGA video cards](https://en.wikiped...


    Modular kernel packaging by mwilck

    Project Description

    Create a PoC for a mo...


    Authenticated hashes for BTRFS by dsterba

    Project Description

    Implement a checksum ...


    Understand and review klp-convert patchset by mpdesouza

    [comment]: # (Please use the project descriptio...


    early stage kdump support by mbrugger

    [comment]: # (Please use the project descriptio...